Information security researchers have had their work cut out for them lately with regard to tracking cryptocurrency-related malware and its proliferation.
A few days ago, security consultant Xavier Mertens rang the alarm bells on a new piece of malware that mines for cryptocurrency but not before expelling any other malware potentially residing on the system at the time.
The alert was posted on the SANS Internet Storm Center security forums.
“The purpose is to download and execute a crypto miner but the code also implements a detection mechanism to find other miners, security tools or greedy processes (in terms of CPU cycles). Indeed, crypto miners make intensive use of your CPUs and more CPU resources they can (ab)use, more money will be generated,” Mertens wrote.
He added that “the fight for CPU cycles started,” noting that this particular software kills off whatever other malware could be competing with it for resources.
In essence, the mechanism is simple. The malware just needs to scan for a process called “AMDDriver64”, which is often used by miners.
It is not enough to kill that particular process, though. Instead of simply mining along, the malware continues to scan the system for other known payloads and malware that make intensive use of the CPU.
The scan list includes not only well-known miners like XMRig and Claymore (nscpucnminer64) but also fake process names used by malware such as “taskngr” (meant to mimic the Task Manager process “taskmgr”) and “win1ogin” (a lookalike of the Windows logon process “winlogon”).
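The same process-name check can be turned around for defenders. The added example below (not code from the ISC diary or this article) walks a process list and flags exact matches against the miner names the article mentions, plus lookalikes of legitimate Windows processes such as “taskngr” and “win1ogin”; the legitimate-process set, the homoglyph table, the edit-distance threshold and the sample process list are assumptions constructed for the example.

```python
"""Flag processes that are known miners or impersonate legitimate Windows processes."""
from typing import List, Optional, Tuple

# Miner process names taken from the article (lower-cased, without ".exe").
KNOWN_MINER_PROCESSES = {"amddriver64", "xmrig", "claymore", "nscpucnminer64"}

# Assumed set of legitimate Windows process names that lookalike malware imitates.
LEGITIMATE_PROCESSES = sorted({"taskmgr", "winlogon", "svchost", "explorer", "lsass", "csrss"})

# Visually confusable characters used in lookalike names (e.g. "1" for "l" in "win1ogin").
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-letter swaps such as taskngr/taskmgr."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str) -> Optional[str]:
    """Return a reason if the process name looks suspicious, otherwise None."""
    base = name.lower()
    if base.endswith(".exe"):
        base = base[:-4]
    if base in KNOWN_MINER_PROCESSES:
        return "known miner process"
    if base in LEGITIMATE_PROCESSES:
        return None  # exact legitimate name, nothing to flag
    normalised = base.translate(HOMOGLYPHS)  # undo digit-for-letter substitutions
    for legit in LEGITIMATE_PROCESSES:
        if normalised == legit:
            return f"homoglyph lookalike of {legit}"
        if edit_distance(normalised, legit) <= 1:
            return f"near-match of {legit}"
    return None


def flag_suspicious(process_names: List[str]) -> List[Tuple[str, str]]:
    """Return (name, reason) pairs for every process that classify() flags."""
    return [(n, r) for n in process_names if (r := classify(n))]


# Constructed sample process list, as a defender might pull from a host.
SAMPLE_PROCESS_LIST = ["svchost.exe", "explorer.exe", "taskmgr.exe", "taskngr.exe",
                       "win1ogin.exe", "xmrig.exe", "AMDDriver64.exe", "nscpucnminer64.exe"]
```

On a real host the list would come from the process enumeration API or an EDR export, and the legitimate set should be extended to whatever the environment actually runs.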
The emergence of so much malware related to cryptocurrencies — especially those that use victims’ CPUs to mine digital coins — fulfills the prophetic prediction of a Symantec researcher who said that crypto mining malware “could become more profitable and expand” this year.